Rapid development of information technologies, the internet and wireless mobile communication networks resulted in a huge increase in cybercrime. According to one estimate, in 2004 cybercrime revenues were US$105 billion—more than the drug business. Cybercrime includes, inter alia, unauthorized access and eavesdropping, alteration of digital data, illegal copying, computer sabotage and computer fraud.
The growth in the number of network information and financial services, against the background of a significant increase in the number of cybercrimes (doubling each year, on average), makes the task of reliable remote user authentication in computer networks, including the internet, extremely important. It is thought that one in every five internet transactions remains vulnerable to fraud. Even a single-use SMS password sent to a customer's mobile phone does not guarantee the desired outcome, since customers rarely pay attention to the changes in their account pointed out in such text messages.
It is worth examining separately a category of cybercrime known as digital property theft. By using viruses, special spyware and false web pages, hackers steal users' personal data (user names and passwords). This may enable hackers, for example, to gain access to and take full control over an email account at a free public email service such as Gmail, Yahoo! Mail or Mail.ru, or an account at a social-networking website such as Facebook, MySpace or Classmates.com. Having taken control over the account, hackers may read the user's personal correspondence, including with financial institutions, and send messages on his behalf that cause substantial harm or financial damage to the user. Thus the means of reliable, accurate and unambiguous user authentication are becoming more and more important.
Initially, software authentication implemented through a login procedure—in which the user specifies a user name and password—became widespread. Experience then showed that software authentication cannot provide the necessary level of data security and that special hardware-based authentication means in the form of electronic keys and biometric sensors are required. Remote authentication methods that do not require hardware keys and rely on passive authentication based on gathering and analyzing electronic user identification data were also developed. One example of such authentication is described in Patent RU No 2303811 C1 (IPC G 06 F 21/22, application No 2005134419/09, published 7 Nov. 2005). Data security experts think that such authentication should augment hardware key-based authentication, since hardware keys offer the highest level of security.
Due to this, the so-called security tokens and smart cards (hardware tokens, authentication tokens or cryptographic tokens)—specialized hardware keys provided by an organization to authorized users—gained widespread use. These hardware keys have a special architecture (specialized microchips with protected memory, special microcontrollers, a unique ID number, a hardware random number generator etc.) and are used to generate cryptographic keys and one-time passwords, to perform authentication when accessing corporate networks remotely, to encrypt data streams and to produce digital signatures for documents. One shortcoming of hardware keys is that one such key cannot be used in multiple corporate networks, since doing so increases the threat of intrusion. Given that the internet offers a multitude of different services, it is evident that one user will require several hardware tokens for secure connection to different networks. The considerable cost of security tokens also hinders their widespread use.
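The text above notes that hardware tokens generate one-time passwords and that a token is bound to a single network (a per-issuer secret). It does not name the algorithm; the following is an added illustration, not part of the patent, of one standard way such passwords are produced and checked: the HMAC-based one-time password of RFC 4226 (HOTP), with a small server-side verifier. The secret, the look-ahead window size and the verifier class are assumptions for this example; the secret is the RFC 4226 test key, so the codes can be checked against that document.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    msg = struct.pack(">Q", counter)                     # 8-byte counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()   # 20-byte HMAC
    offset = mac[-1] & 0x0F                              # low nibble selects window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side of the scheme (assumed design): one secret per issuer,
    the counter of the next code it is willing to accept, and a small
    look-ahead window to tolerate codes the user generated but never sent."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            # Constant-time comparison so the check leaks nothing by timing.
            if hmac.compare_digest(hotp(self.secret, c), code):
                # Resynchronise past the accepted counter: the same code
                # can never be accepted twice, which defeats replay.
                self.next_counter = c + 1
                return True
        return False


# RFC 4226 Appendix D test key (constructed input; not a real deployment secret).
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for counter in range(3):
        print(counter, hotp(TEST_SECRET, counter))
    v = HotpVerifier(TEST_SECRET)
    print("first use   :", v.verify(hotp(TEST_SECRET, 0)))
    print("replay      :", v.verify(hotp(TEST_SECRET, 0)))
```

Because the secret lives in the token's protected memory and on one issuer's server, enrolling the same token with a second network would mean sharing that secret, which is the intrusion risk the paragraph describes.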
Another widely used way to establish secure connections is the so-called VPN or a virtual private network—a logical network superimposed on another network, like the internet or an intranet. Despite the fact that in this case the data traffic is carried by public networks using non-secure protocols, the use of encryption provides a way to exchange information that is closed to outsiders. A VPN makes it possible to link several offices of an organization into one network using public communication channels.
When connecting a remote user (or when establishing a connection with another secure network), the access server requires the user to go through the process of identification and then authentication. Upon successful completion of both processes the remote user (or network) is granted access privileges, i.e. becomes an authorized user. A VPN can also be either software or hardware/software based. The use of special hardware increases the level of information security.
Another known way of remote user authentication is described in Patent EP No 0986209, IPC H 04 L 9/32, published 15 Mar. 2000. The essence of the method is as follows: electronic user identification data is stored in the authentication server's database and is then compared with identification data furnished by the user when attempting to access a secure system. This comparison is the basis for the decision whether a particular user has the required access privileges. Electronic user identification information in this method may include user biometric data such as fingerprints, palm prints, and/or iris scans that are saved in the authentication server's database. The authentication server usually also verifies such identification data as username and password. The main shortcoming of this method of remote user and system authentication is that authentication is active and thus involves exchanging substantial amounts of data (fingerprint, palm print, iris scans). This increases the vulnerability of the authentication server, because an intruder may introduce false data, including computer viruses, into the data exchanged between the user and the server. Another shortcoming of the method and of the systems used to execute it is lower data transfer speeds from the user's access terminal to the authentication server due to the larger data volumes (the user's fingerprint, palm print and iris data). Yet another shortcoming is the need to use costly specialized equipment, such as hardware to capture user biometric data like finger and palm prints and/or iris scans.
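The core of the method just described is a server that stores identification data and compares it with what the user furnishes. As an added example, not taken from the patent, the sketch below shows the username-and-password part of such a server in Python: the database keeps only a salted derived key, the comparison is done in constant time, and unknown usernames are processed for the same amount of work so the lookup does not reveal which names exist. The in-memory dictionary, the PBKDF2 parameters and the `enroll`/`authenticate` names are assumptions of this example; biometric matching, which the patent also covers, is not modelled.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the authentication server's database:
# username -> (salt, derived key). Raw passwords are never stored.
_DB: dict[str, tuple[bytes, bytes]] = {}
_ITERATIONS = 100_000          # assumed work factor for the example
_DUMMY_SALT = bytes(16)        # used only to equalise timing for unknown users


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the furnished password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def enroll(username: str, password: str) -> None:
    """Store the user's identification data as salt + derived key."""
    salt = os.urandom(16)
    _DB[username] = (salt, _derive(password, salt))


def authenticate(username: str, password: str) -> bool:
    """Compare stored identification data with what the user furnished.
    Returns True only when the derived keys match."""
    record = _DB.get(username)
    if record is None:
        # Do the same amount of work for an unknown name, then refuse.
        _derive(password, _DUMMY_SALT)
        return False
    salt, stored = record
    # Constant-time comparison: the decision must not leak via timing.
    return hmac.compare_digest(_derive(password, salt), stored)


if __name__ == "__main__":
    enroll("alice", "correct horse battery staple")   # constructed credentials
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "wrong password"))                # False
    print(authenticate("mallory", "anything"))                    # False
```

The point the paragraph makes about active authentication still applies here: whatever the server compares, the user's terminal must transmit it, so the transport (e.g. the VPN described above) has to protect that exchange.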
There is also the invention “A Method of Strong Multifactor Authentication Method Of Payment Card Holders That Involves The Use Of A Mobile Phone And A Mobile Wireless Telecommunication Environment To Effect Interbank Financial Transactions In An International Payment System Using The 3-D SECURE Protocol Specification (Versions) And The System To Implement It” (Patent RU No 2301449, IPC G 06 Q 20/00, application No 2005118828/09, published 27 Dec. 2006). The invention is a means of personal identification of customers during transactions performed over mobile communication networks. Among the invention's applications is its use to perform authentication when making a payment by charge card using a mobile phone. The technical result of using this method is a financial transaction with guaranteed transaction confidentiality. When carrying out interbank financial transactions in an international payment system using the 3-D Secure protocol specification as part of a multifactor strong customer identification process involving the use of a mobile phone over a mobile communication network, four transaction steps are performed sequentially: transaction initiation; generation and delivery of an authentication request; generation and delivery of a response to the authentication request; transaction execution, generation and delivery of a notification of the transaction results. During each step the signal messages are transferred between the parties using 3-D Secure specification components.
Another known payment method is implemented using a system that contains a means of generating a unique identifier for the payment amount as a response to a customer payment request; the means to transmit the amount ID to the customer's mobile phone; the means to store the ID at the central data server; the means to receive the ID sent from the customer's mobile phone (the ID contains information about the payment); the means to verify (match) at least a part of the ID against at least some of the IDs already generated; and the means for indication of the ID (Patent GB No 2389693, IPC 7 G07F 19/00, published 17 Dec. 2003). A shortcoming of this method is the need to transmit the ID over open communication channels without additional encryption.
Another method of performing transactions using a mobile phone (or another mobile device like a pocket PC) connected to a WAP or GPRS service is described in application WO 03/047208 A1, IPC 7 H04L 29/06, published 5 Jun. 2003. The method involves the following phases: receiving information about a transaction using a mobile phone; transmitting information about the transaction to the processing server to check whether the transaction is possible; if the processing server returns a positive result and the transaction is possible, this information is then sent to the mobile phone via the internet. This version's disadvantage is that the data is sent openly over the internet.
A poll commissioned by Abbey, an English bank, among one hundred of its customers has shown that only one in three (32%) of them wants to use special devices that may provide additional security of internet transactions.
Thus, the efforts of commercial banks to make online transactions more secure are not received well by their customers, who do not want to buy and use special hardware keys, without which it is impossible to substantially increase the security of internet transactions.
The overview provided above shows that it is not possible to significantly improve the security of internet transactions without using a hardware key, but those keys are not welcomed by users.
The closest analog (prototype) to the proposed invention is the “A Method of Strong Multifactor Authentication Method Of Payment Card Holders That Involves The Use Of A Mobile Phone And A Mobile Wireless Telecommunication Environment To Effect Interbank Financial Transactions In An International Payment System Using The 3-D SECURE Protocol Specification (Versions) And The System To Implement It” (Patent RU No 2301449, IPC G 06 Q 20/00, application No 2005118828/09, published 27 Dec. 2006).